From 61f7fe399a45472ca73a7b373b756596e80b3d38 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer <github@aead.dev>
Date: Sat, 20 Dec 2025 22:12:13 +0100
Subject: [PATCH] update README and add TLS handshake svg

This commit adds a brief summary of the `mtls` module
and a svg image showing the "regular" and mutual TLS
handshake, and how clients resp. servers verify their
peer's identity.

Signed-off-by: Andreas Auernhammer <github@aead.dev>
---
 .github/tls-handshakes.svg |  4 ++++
 README.md                  | 41 ++++++++++++++++++++++++++++++++++----
 2 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 .github/tls-handshakes.svg

diff --git a/.github/tls-handshakes.svg b/.github/tls-handshakes.svg
new file mode 100644
index 0000000..4ad783d
--- /dev/null
+++ b/.github/tls-handshakes.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 773.5163227770003 666.726403823178" width="1547.0326455540005" height="1333.452807646356" filter="invert(93%) hue-rotate(180deg)"><!-- svg-source:excalidraw --><metadata></metadata><defs><style class="style-fonts">
+      @font-face { font-family: Excalifont; src: url(data:font/woff2;base64,d09GMgABAAAAABH4AA4AAAAAHtAAABGiAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGiIbhnYcNAZgAIEkEQgKrBigXgtAAAE2AiQDfAQgBYMYByAb4xdRlLJaKbIvEjIcY6inoi0qldOp1Jl8sr30x50gnj/13s+YGF4domNRSYM1L3Mq3t7w/Lne5+YGtwblRQ3Ky1jgqlN1sjqrgzqJPE9/b553/y512k3F0jnj3dKxVwpQxZgFKBQKws6n0y/pbSe1A4bAJ1tJPuACsR3v7lV5W1/RS63UDggMAZEhyYIh8AFgNHPn08/t5wHNJYvo9Sd5oRRSmlixpjqAioUCUpkIBShcx9dI3r8SXRF02JWFDhhXx6QqEV3fpcrXmlrXKt1F3aaSYBOkUJnLSTwB0IM4EgSKu+EoIDQSEPNlWv500GVLUiYQnba3NgDRZaujHojuyno1AREUgDMk7tbR2gSIZQEQU3D2APwpIYJoCgLBjZxe4UhAwwGxo7JwD3HO9y/Te/3/1MaDkmj05p3zx38DFMbNBN3oVzE8Nuq+nMZH9xnzUfFWoyzSXF42uMARkVHQ0DEwsXHxCQi5rUJGiH8DU2QVSiZR8zELgoAjdsFCIq7i3UgY6MiYKOuujw9a4RIAktxXwEtCLdsaJOScDnW9avmPsAoniwDPj1iNAsQlMKMgk/htbQy1LwF156IIsiynUrwR2nHmQIHBJDV52vz/PDOZ0GSAIWYsnAsAr2gpcQAC/QIQG4587FhTwCEg0171+TcWYF4c1EcGwIeL3srJnRFbjkElKNKjJmNGQqPLedKKYWSTLFMJh1oNnPpoH/xnqjz0STK8y9So16T1+3Tzltc86VEPetmZ244c2Dc3MwECbjGQ0E5wkpc/AtUGAPXXSPcBRj4MQglcc59J1uCHLfqxlPyE4qjKtNSAII6GHxJN9+QYReIktVEo8XIJ0RUkWuMn21p6E73Mjksrv8pNmgSAwN2C+PFzIPoNwXJwI+jTPtzuzJG86bKBrjucY374rLqrVqVCiQDMfIPQqTpZZk5eFMX5Im20xSnBuJ4u9vDw3XsNGlAYvJW3XDao9IbW55an3rwf/zmt7ZcAiW/X6+zu1GDiecE/4ze+MFK96kSmaZleYe5rtg/yNVd+cCAXGnnE4euvm16CTR7hrEwxHt4Ic74xbUKJdI+FiA1S4I7jnIyAYEEKPWVlpncHUhvkQMQ3FcqKBCAkAMUprg+qm4v6DmYRH2LMt7CzpetOV3d2rWw5sAER7bJNTe9e7d46wxwrOd8HJ6ftknbCnE00f70tAN0I2mDQdGuu/MQfuUlvLm6eVe6pquMw1MMz0yuL9roAxO8A+npiepb6Up7QBNKEUk3zT/yXpCjd2UShrDBZcVBo+H8JkF86WGU7/6ALAgIEjnUJA+mFsDr8lKtdVY3M34LpwaRfphTCpg25wv+2WDTEXgIh7UNawMAuF6Q3IM3/FErRgR4O8WyZLu9/7hXKulYJJZKaDlbC49G73szkw+wwe4T5o0f4y7dp4GujupsaLI5BLIAYa8F+AQv+PdcWl+7H8RmmkCOxs+VUGJKrBgF7lx62WFV9lfksw16SWJ5qUXVnmQYEEgJS94Q7NgwXnCCGD0mh0WJeI0sERNl0B7qDPzSxVzPNJLtnzVTLm2GTwrcp1MipkeFeNQw3NgwixuKEGzdjucJYyEIH99S1dzm+ZnpNmlAAE0ibtIDbsDqO32AC4kMoXBXJqmc9ut7qOT0UixPx49Gp/HR/7bakZK8VqeOcc8xNb74tSoLDN+8VvK8nxVzwV74kpEbRzXpquN8RAgm1KfyZ4J2SO3anSD52Wr1bH15Tr2f7/eUgKPnAjRnqIjYF4+en7HYAg6+TwmrRvma/NW66KwyFsqor1ZwUZbzYWuRbUQ9HSo8sug+Dow274YuSVj4fbBcwAMRw61dXr4/F77baV0wPK5PUkJ8Jb6pPlXEG76RHN8RnseF+U/e1jeLLybdW9mVW1i5fOiE2QtKJSWnieWZ2rRp9U3f38qXSmlvfkRU5jR/nAozeIoZ7hulO6HDcU5uysiWPH2ecc0rNbp5cwC6OKGemt3ylOFq07fk64z8kfYjSbjU6rFFO4ZKQvk/b4Ld4ZYCYlCisRq/Tst0JNqDd9rUcnofK4oc8Mz1he9ucOwaPy5Q8/qogtTLYb+RvSLEBcqZZHKX2iXFlZ5FHkc67+mtdqSq8lp23i6IcaE3adBHb6Yab+pZa3FTHItNbtilsUm1dCC0oOp0yBWSNYxLJIetGX39guECAiJJf/0CPFHYqTHeG0CsHmt3W+O4u5sMhHr7Jk21aLkLT7mgBIHHz7v9gZ6HFHHzYOjS94uNiJkDG8d2Wp9QiC0M2QDJyQQxIDvZKxO9odBsmvxPCGENSjnRUT1W3Xn3bZREUfIG2+GIsPzBsoYlmUMr/451VGtz9bK8RvL3/evKff9+99uW9fV+zQW64KTLGS0sjQEZgvUwD4pP1MHi1strFi1YjiyeQUs1utniE75zpZJLcMz2LRyiVaBT3CVH33R+VvcSbnofrLLm3yTiOAfHhfrFcBLtxO3tnujZdYf90q3IULYQoBu4Y7ZoLsx5+d/Yl1oev98u0gLXsXvb665O5HMRjAdxLYGmn2adpYnEAFv+AqMZpubwORvnjr8h4zU1TxELWZZu6aKTpgF1F4WaodK7r7DgfYj4xO3oSGGnrp2lCTe+k8mJvK17O5DSB/TkbtO1ivrNEmi5Dg5tnZDf8pFut6YJDi18pFywHQR9SzK/xXT6McLT470leo+aGE+bmW8jRAAj5ENf9v4t2dH23FanF64nhrhyshs6WqvZMD/ZLZGm9GVyp8WwY7eJIVXnEOV73/2HQ/6hBfI0I0BbnCCF+yTc8VCndhpvPbDO/ZZETmSPj9qWnzNKr1czioTFIDMeWbepV0rA71jyOZKCVmlZ83cw4knSWMfP48DHUIaD5l/AVZxMh61hItbDu4WrXJQQDc540uyV77H7TH8Ds3t8tBPhDLdR8K6jIzdQgrxDOJOW6+a3vyqwG49SDFzYqeIlQe8UzzbRUSknJUWC/xj8vFLHV3U96QX1pKk5UkC4qTeKKvBu/JWAzoxRydnIZD4sN1y41z7t62x1Gr6AXcD7PwULUPGRicBaYAUWP8OjZZchayK0tmGrI14ur22Q43IeBwo/l5h9Ng9wHnEyFD4pqjEwGgP63mWsyxxX1MMmFb95/M+fPTrEH65vE0wCyjU9H2HRLVruwX9rgRAHYnD2UZFcjpfEGrEN11kLmEHHdxba4GhV3KFbjLbD3YygKY3P9KHlQOnwIYS9nfBM2tBLpJKtcApkg2i4W0cAFP7XiAYiN71dQa1eFVQp567ohBM5pdoVS6SSzq2cqu9cWGfjBII2kdzmIU2yo9m28vyo/pB83IcC72IeIl0AvZ/lS2MtoCSvf5H7xLBKzSXlNr1RyKB/PWZw+Ln0AYI5WDSQh9Vpw2tbz+EyC/Xv4WnbZHF9Cdi9AmEEGm/jmkqa2XIU+1C8SIrlku9qjlygsYI/8FHItsJQ7ZGb7kpREZQaRayo0sqcdeEwhXLWOPgH3V6ljnyCta6U5BbPwXJ6TB9CXKUsYy807SToIdA0l1Ict4qGYNQoI0wanKFatLVAytA81swKgtV80OiiB9GryrAxzQFaje2e0y/UFm1vs/lAnsuvBuMFW0Pr9y3B4RvlIHQWbPBIuhOzsGv+N/YO3J4vJ+OF5idK2ySFxKSOKv+qjGx2gS2gMckApGBs9paUX+ttNjFRoYIvk/9A91yXa7Ve556wMfiFBhzlGIIudDMxJtkEPE1Bv3CKXEqE5DOcSJ3UFlY3pHuuwV4QccJFIJs1diggGKfYyjgPfW2o7k382CPLHNBT5g57PuktD6DYMS3RIlsFhjEhqagLDk5KFRcNf4fiLtfjnZNpJTAOO4I/1As2EuhupWVwvyMu826dSMcXmkkpg1s4NP1tYMJGfwlcUCCbQU9HfAJsrX205qgpew9O7G1syDUXM61B/hw3pRwhOQIOm5W51orUiQG5UWj0TtKRCKGMAnunKfUfj1t1hziKLP2Auo8Qu4xH7YNULiW2uVGtXhDvHzEoKDsjLZnR3nOzOZFq/vFroo0olHbTcyzrDzAeFrUOitE8VjNu/cEvTpKG8EvcXum55VU+cuvsQculrxKUZL6d89AjeCxuiln8O/J0MbanHWoMJgn5FYCUr4NStjT/xtBgCKXVYRwr1YYJHLEJA2gm4P68yhcUohqN3fUh3nRUM7BPUepU0WaUr88sRu+oSJK9DCJzGd8KmJhdr/NHu4OXO7XL+9xyfmBncJbCVlOkIAu77x1RVdbFpSYJPFYda0uI0aFoewuMGNdw7RV9VnjSMPaT7trFVreA8GmnnpaWiBk+TMv9VX6ztq57sBmc8CZrYwuWcCaxeAj5yiZor3q18F+OLvZ71wfE1NOo1Cn+0AiA1ml+QP5zIQgpgHv2PJxsLN0wp3QyB/+cL0SD0cxyhzJLvTA/i8eQ2jjR3kTjXCwpjmVvApMOPfrrJyCuHlrGZ9vQZutGBHcp2KIKZwxwlOLsc0MZdCXZCLkHk9lJz/AK3sfmyL1HhB8F+nnVglevNCvN4vf+zlVQmXo3glh9HetmPDgNvumNK8+PdjmzoGWimG27BfdzLKhVeuyCYiMNFAdd8zN2j/iH1HixiO8EtBGmALOSJ/jtUGJyK16oLlNBSGxjC5nffgwYIaAQy5aQIppz3aeeJpfAgDLGSab603YQZ8RBilm1aRuvoBlthspBVVc3SF2o22vgKnCjXh4Wks7UpLUtM+6TxlBluWDJCYhg/yI7WedPDIOOWq8rsZuUtnXxZ3eT6LRJrFisNOQyJXslqwB3Uq/ZA/G+0ts6rdqPeY3Zcwui47iDLhrjGAeKvDqe/LNEjmxcfbqHoF1dDikytj/T4HmbmFBPR3ZsCkRs/bKkH81udzlvZ+5nuVvIqIqgagdILSaZBH06xzTTCtN4Sf9tf6sB3TbGKW+nBC1ASPFJOqIusnDondOaBaFduvM2SuVH9jZLosmgAvQNMUk6jmzhYl4LKD1LQoGWL+SvGFwwt4WAk0QQbh7raOmAMma0eC1p7tPERUSse9sTQkXiEB5uAfoV9VR0e+NpteZeOIj49LaSP78JkQ5ZIH2Ipv+SKNz4vVGVgsBz5GLDV1MfGTR+BpX3Y1vv39Ssjvr/fmvUxN8xQ/IjAbJEPHAg4Sz0F6ks71JRODceWbTxyg+TWVX77gTGCnUs9FF69q4a3XOuOOKvUAbe69D0r1oEhZd8tjC5+kcUlnJy6SfTPEez/2b5VP9zct7a/Fe3N2Xio526arrQzLNneIhsIblFxQqR+zItBDkE6HNvZLpUt3zIyJGj1FAFkpmTRcO03tiJgiBWRaWGVOtIv/UK5x1GS276EKnGCR/i5DQQELV1Gl/t5a8LRGJr10x9WHrhHYB7dfSq8SGjf1JfvNgQoihyoNr+CwMoorB81atfCz4//KAQ5ixeIrhVceZaBz+6SoYeSXAgPwvX9TJnmovFhd/UrmZVyo78eJ4B7bbIZajm1OGLi+pipl25YIuTCiquuBQ36MrKNP9iD+X2wFff+gJTSfawXO+Y8uJ7zJyK1GjVFT8joLxArkjtiW4LfwZFqp2Bz7IbAsEhSrFJEBgAg/Bd8/30eXuIS/ZVIQV4AAFu7lwkA+C593fl/+L8TfYVGAEANzlH5b6WpzmKof38AiJlQilNVDsxlMgDxA3zKVOBRWMAQDZCmN+AnBnhHCmj5BzhpAqQqD0BZCMjRAU28QUj5AWQpAp4RAteEgRBfACNc4OshCA4dRCQX+EcIwsp8EBAp8IgngKJ6xtMALSwQ2BLL5DrAkUwKsu8CQHYlHwKqkby+1aWnDcJxwAaj22xDeBlpQ6mU2zCxVMCNxwY89VOhTINaVZo16cVXOodqvTUo0yqbQ6s2tax4mQBa/shRrOypdk41CssE/URgBA9TElg8jGfpAWQzS1u9SQarFFG5ZhpzM2GM2KmdgVohqqkJHgLwjDiQ/xXBPpdrv8/Ii0rhqTJ9aQ3oCTRE0/JT2xscisSBPkZcJS0ElOc/GAAAAA==); }</style></defs><rect x="0" y="0" width="773.5163227770003" height="666.726403823178" fill="#ffffff"></rect><g stroke-linecap="round" transform="translate(59.741830542830655 98.88172043010752) rotate(0 75.25766626841894 43.99253285543608)"><path d="M22 0 C61.55 0.43, 105.05 -0.27, 128.52 0 M22 0 C47.87 0.78, 73.84 -0.46, 128.52 0 M128.52 0 C144.05 -1.55, 148.76 5.67, 150.52 22 M128.52 0 C144.42 0.18, 152.62 9.38, 150.52 22 M150.52 22 C149.03 35.3, 149.69 50.8, 150.52 65.99 M150.52 22 C149.64 36.11, 150.22 50.43, 150.52 65.99 M150.52 65.99 C149.15 80.09, 143.3 86.15, 128.52 87.99 M150.52 65.99 C150.12 82.02, 145.19 88.69, 128.52 87.99 M128.52 87.99 C88.71 88.74, 52.57 85.79, 22 87.99 M128.52 87.99 C86.67 88.11, 45.53 87.26, 22 87.99 M22 87.99 C5.58 87.54, 1.4 80.14, 0 65.99 M22 87.99 C9.61 86.57, 0.23 79.47, 0 65.99 M0 65.99 C0.51 53.22, -0.01 42.55, 0 22 M0 65.99 C0.74 55.54, 0.75 45.39, 0 22 M0 22 C1.23 6.46, 6.14 1.95, 22 0 M0 22 C-1.73 5.31, 9.53 0.44, 22 0" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(104.79949604831017 129.04012345679013) rotate(0 30.200000762939453 13.834129828753476)"><text x="30.200000762939453" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#1971c2" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">Client</text></g><g stroke-linecap="round" transform="translate(563.8575215026077 96.94494225408204) rotate(0 75.25766626841892 43.99253285543608)"><path d="M22 0 C57.6 2.6, 94.37 -0.92, 128.52 0 M22 0 C49.41 0.64, 79.47 0.58, 128.52 0 M128.52 0 C142.73 -0.57, 151.05 7.5, 150.52 22 M128.52 0 C145.27 1.12, 149.73 5.76, 150.52 22 M150.52 22 C151.68 37.56, 152.56 53.8, 150.52 65.99 M150.52 22 C151.72 38.41, 151.49 55.18, 150.52 65.99 M150.52 65.99 C152.47 80.58, 142.47 88.01, 128.52 87.99 M150.52 65.99 C148.7 78.9, 141.18 86.01, 128.52 87.99 M128.52 87.99 C103.39 85.73, 76.67 87.48, 22 87.99 M128.52 87.99 C97.48 89.18, 64.68 88.83, 22 87.99 M22 87.99 C6.83 88.87, 0.3 79.44, 0 65.99 M22 87.99 C9.05 88.71, -1.58 81.8, 0 65.99 M0 65.99 C-1.67 52.32, 0.58 41.96, 0 22 M0 65.99 C-0.51 48.73, 0.04 33.37, 0 22 M0 22 C-0.03 8.24, 9.32 1.9, 22 0 M0 22 C0.69 7.55, 7 1.43, 22 0" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(605.2151862451477 127.10334528076464) rotate(0 33.900001525878906 13.83412982875349)"><text x="33.900001525878906" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#9c36b5" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">Server</text></g><g stroke-linecap="round"><g transform="translate(222.43119732897162 134.50698993394576) rotate(0 164.93123205367016 -16.88973561923666)"><path d="M0.6 0.59 C27.63 -5, 108.24 -33.83, 163.21 -33.73 C218.18 -33.63, 302.88 -4.97, 330.41 1.18 M-0.55 -0.14 C26.34 -6.1, 107.69 -36.08, 162.82 -35.73 C217.96 -35.38, 302.7 -4.19, 330.25 1.95" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(222.43119732897162 134.50698993394576) rotate(0 164.93123205367016 -16.88973561923666)"><path d="M305.32 3.75 C315.86 4.72, 324.82 4.18, 330.25 1.95 M305.32 3.75 C311.47 2.82, 315.08 2.39, 330.25 1.95" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(222.43119732897162 134.50698993394576) rotate(0 164.93123205367016 -16.88973561923666)"><path d="M310 -12.7 C318.72 -5.4, 325.88 0.36, 330.25 1.95 M310 -12.7 C315.03 -10.08, 317.64 -7, 330.25 1.95" stroke="#1971c2" stroke-width="2" fill="none"></path></g></g><mask></mask><g stroke-linecap="round"><g transform="translate(551.6834872533046 152.07987604551118) rotate(0 -165.25642379807778 17.045456491482028)"><path d="M-1.13 0.92 C-29.17 6.31, -112.3 32.21, -167.1 32.71 C-221.89 33.2, -302.88 8.77, -329.89 3.88 M0.48 0.36 C-27.77 5.83, -112.5 33.47, -167.74 33.73 C-222.99 33.99, -304.14 6.78, -330.99 1.92" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(551.6834872533046 152.07987604551118) rotate(0 -165.25642379807778 17.045456491482028)"><path d="M-306.14 -0.74 C-314.43 1.03, -327.43 0.07, -330.99 1.92 M-306.14 -0.74 C-316.09 1.08, -324.45 0.96, -330.99 1.92" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(551.6834872533046 152.07987604551118) rotate(0 -165.25642379807778 17.045456491482028)"><path d="M-310.24 15.86 C-316.96 11.1, -328.33 3.56, -330.99 1.92 M-310.24 15.86 C-318.72 11.69, -325.6 5.58, -330.99 1.92" stroke="#9c36b5" stroke-width="2" fill="none"></path></g></g><mask></mask><g transform="translate(308.3872587389071 194.61389884508162) rotate(0 83.50280426888293 13.834129828753476)"><text x="0" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#9c36b5" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">pub_key_server</text></g><g transform="translate(333.6576011521496 69) rotate(0 53.93466110715633 13.83412982875349)"><text x="0" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">ClientHello</text></g><g transform="translate(53.65481341817912 209.00139386698527) rotate(0 78.85454002389488 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">identity_server</text></g><g transform="translate(19.622854039445542 265.9980087614496) rotate(0 118.14346873755471 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#9c36b5" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic"> Hash( pub_key_server)</text></g><g transform="translate(116.46176284071993 238.32974910394267) rotate(0 13.834129828753476 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">==</text></g><g stroke-linecap="round" transform="translate(57.6168305428306 464.15531660692955) rotate(0 75.25766626841897 43.99253285543608)"><path d="M22 0 C62.7 -0.7, 107.73 -1.07, 128.52 0 M22 0 C61.62 1.24, 98.88 0.3, 128.52 0 M128.52 0 C141.21 0.21, 148.55 7.91, 150.52 22 M128.52 0 C144.98 2.26, 148.63 7.01, 150.52 22 M150.52 22 C149.73 33.92, 151.94 49.22, 150.52 65.99 M150.52 22 C150.89 31.56, 150.37 40.22, 150.52 65.99 M150.52 65.99 C151.26 80.83, 142.46 88.99, 128.52 87.99 M150.52 65.99 C152.45 80.35, 144.64 86.15, 128.52 87.99 M128.52 87.99 C96.71 86.97, 62.93 89.94, 22 87.99 M128.52 87.99 C97.71 87.53, 68.17 89.06, 22 87.99 M22 87.99 C7.8 88.44, 1 79.62, 0 65.99 M22 87.99 C6.25 86.14, -1 79.25, 0 65.99 M0 65.99 C2.11 52.55, -0.41 42.31, 0 22 M0 65.99 C-0.26 50.14, -0.84 36.15, 0 22 M0 22 C1.36 6.32, 5.41 0.19, 22 0 M0 22 C2.03 9.53, 9.43 -0.56, 22 0" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(102.67449604831006 494.3137196336121) rotate(0 30.200000762939453 13.834129828753476)"><text x="30.200000762939453" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#1971c2" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">Client</text></g><g stroke-linecap="round" transform="translate(561.7325215026077 462.218538430904) rotate(0 75.25766626841892 43.99253285543608)"><path d="M22 0 C55.93 0.24, 85.34 1.7, 128.52 0 M22 0 C55.18 0.88, 89.35 1.06, 128.52 0 M128.52 0 C144.75 1.96, 148.88 7.06, 150.52 22 M128.52 0 C143.21 -2.27, 151.88 6.93, 150.52 22 M150.52 22 C149.05 30.41, 148.94 44.1, 150.52 65.99 M150.52 22 C151 37.44, 150.27 53.22, 150.52 65.99 M150.52 65.99 C152.2 80.39, 144.45 86.39, 128.52 87.99 M150.52 65.99 C150.76 82.72, 144.1 89.45, 128.52 87.99 M128.52 87.99 C103.87 88.18, 80.33 87.4, 22 87.99 M128.52 87.99 C104.03 89.12, 79.59 88.38, 22 87.99 M22 87.99 C6.39 86.38, -0.87 79.44, 0 65.99 M22 87.99 C6.97 86.67, -1.89 82.79, 0 65.99 M0 65.99 C1.13 54.17, -1.43 42.84, 0 22 M0 65.99 C1.11 54.41, -0.53 43.93, 0 22 M0 22 C1.76 9.24, 9.15 -0.49, 22 0 M0 22 C0.79 8.44, 8.5 -1.49, 22 0" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(603.0901862451477 492.37694145758667) rotate(0 33.900001525878906 13.834129828753476)"><text x="33.900001525878906" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#9c36b5" text-anchor="middle" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">Server</text></g><g stroke-linecap="round"><g transform="translate(220.3061973289715 499.7805861107678) rotate(0 165.15887856234338 -15.55386430365894)"><path d="M0.94 0.25 C27.8 -5.36, 106.67 -35.19, 161.19 -34.84 C215.71 -34.49, 300.25 -3.88, 328.07 2.35 M-0.02 -0.67 C27.19 -6.05, 108.34 -34.49, 163.4 -33.76 C218.46 -33.03, 302.96 -2.53, 330.34 3.73" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(220.3061973289715 499.7805861107678) rotate(0 165.15887856234338 -15.55386430365894)"><path d="M305.41 5.54 C313.46 3.21, 319.2 2.26, 330.34 3.73 M305.41 5.54 C313.95 5.89, 320.1 4.21, 330.34 3.73" stroke="#1971c2" stroke-width="2" fill="none"></path></g><g transform="translate(220.3061973289715 499.7805861107678) rotate(0 165.15887856234338 -15.55386430365894)"><path d="M310.08 -10.91 C316.54 -8.18, 320.86 -4.1, 330.34 3.73 M310.08 -10.91 C317.01 -5.44, 321.71 -2.01, 330.34 3.73" stroke="#1971c2" stroke-width="2" fill="none"></path></g></g><mask></mask><g stroke-linecap="round"><g transform="translate(549.5584872533046 517.3534722223332) rotate(0 -164.83800627189225 17.26962635652268)"><path d="M-0.95 -0.87 C-29.25 4.72, -113.94 33.08, -168.85 33.81 C-223.77 34.54, -303.85 8.41, -330.43 3.5 M0.75 1.28 C-27.28 7.07, -111.95 35.4, -166.76 35.41 C-221.58 35.42, -301.35 6.84, -328.15 1.34" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(549.5584872533046 517.3534722223332) rotate(0 -164.83800627189225 17.26962635652268)"><path d="M-303.25 -0.8 C-314.13 -2.16, -321.88 -1.34, -328.15 1.34 M-303.25 -0.8 C-312.24 0.01, -319.59 -0.14, -328.15 1.34" stroke="#9c36b5" stroke-width="2" fill="none"></path></g><g transform="translate(549.5584872533046 517.3534722223332) rotate(0 -164.83800627189225 17.26962635652268)"><path d="M-307.7 15.71 C-316.93 8.13, -323 2.71, -328.15 1.34 M-307.7 15.71 C-315.35 11.05, -321.24 5.48, -328.15 1.34" stroke="#9c36b5" stroke-width="2" fill="none"></path></g></g><mask></mask><g transform="translate(306.262258738907 559.8874950219036) rotate(0 83.50280426888293 13.834129828753476)"><text x="0" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#9c36b5" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">pub_key_server</text></g><g transform="translate(307.0326011521496 435.273596176822) rotate(0 79.83333587646484 13.834129828753476)"><text x="0" y="19.500589406610914" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="22.134607726005576px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">pub_key_client</text></g><g transform="translate(51.52981341817906 574.2749900438073) rotate(0 78.85454002389486 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">identity_server</text></g><g transform="translate(17.497854039445542 631.2716049382716) rotate(0 118.14346873755471 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#9c36b5" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic"> Hash( pub_key_server)</text></g><g transform="translate(114.33676284071987 603.6033452807646) rotate(0 13.834129828753476 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">==</text></g><g transform="translate(561.2613446806243 573.7742931103146) rotate(0 78.85454002389486 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#9c36b5" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">identity_client</text></g><g transform="translate(527.2293853018908 630.7709080047789) rotate(0 118.14346873755471 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1971c2" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic"> Hash( pub_key_client)</text></g><g transform="translate(624.0682941031652 603.102648347272) rotate(0 13.834129828753476 12.72739944245319)"><text x="0" y="17.940542254082025" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20.363839107925113px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">==</text></g><g stroke-linecap="round"><g transform="translate(10.372854039445542 344.5) rotate(0 375.64047180078927 -2.8857041027396804)"><path d="M-0.37 -0.44 C124.91 -1.13, 626.31 -4.38, 751.65 -5.33 M1.63 -1.71 C126.73 -2.13, 625.67 -3.35, 750.52 -3.97" stroke="#1e1e1e" stroke-width="2" fill="none"></path></g></g><mask></mask><g transform="translate(22.372854039445542 10) rotate(0 246.75 12.5)"><text x="0" y="17.619999999999997" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">TLS Handshake ( server authenticates to client )</text></g><g transform="translate(24.372854039445542 383.5) rotate(0 367.25 12.5)"><text x="0" y="17.619999999999997" font-family="Excalifont, Xiaolai, sans-serif, Segoe UI Emoji" font-size="20px" fill="#1e1e1e" text-anchor="start" style="white-space: pre;" direction="ltr" dominant-baseline="alphabetic">Mutual TLS Handshake ( client auth. to server and server auth. to client )</text></g></svg>
\ No newline at end of file
diff --git a/README.md b/README.md
index 84db9af..2ac117a 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,45 @@
 [![Go Reference](https://pkg.go.dev/badge/aead.dev/mtls.svg)](https://pkg.go.dev/aead.dev/mtls)
 
-# Mutual TLS
+# [m]TLS
 
-## Install
+A Go library for TLS/HTTPS using public key pinning instead of certificate authorities.
+
+**The Problem**
+
+Usually TLS/HTTPS relies on certificate authorities (CAs) to establish trust. This means:
+- Obtaining and renewing certificates from CAs
+- Managing certificate chains and trust stores
+- Trusting any certificate signed by a trusted CA
+
+For services that communicate with known peers, for example a web and DB server, this is overkill.
+
+**The Solution**
+
+This library takes an SSH-like approach to TLS authentication. Just like SSH's `known_hosts` file lets you trust
+specific server keys directly, `mtls` lets you identify peers by their public key hash rather than CA signatures.
+
+```
+h1:2eYrKRe4K9Xf_HjOhdJjNPuH5P8sLN9XNgdgZKfqt1A
+```
+
+That's it. No certificates to issue, no chains to verify, no CAs to manage.
+
+## Getting Started
 
 ```sh
 go get aead.dev/mtls@latest
 ```
 
-The [documentation](https://pkg.go.dev/aead.dev/mtls) contains some [examples](https://pkg.go.dev/aead.dev/mtls#pkg-examples)
-for TLS clients and servers to get started.
+This downloads the `mtls` module. It has no dependencies.
+
+Add the `aead.dev/mtls` module to your `go.mod` file.
+The documentation contains [examples](https://pkg.go.dev/aead.dev/mtls#example-package) on how to configure clients and servers.
+
+## How It Works
+
+1. Generate a private/public key pair.
+2. Peers exchange identities (SHA-256 hash of public key) out-of-band.
+   For example, as part of their configuration.
+3. During the TLS handshake, one or both sides verify that the other's public key matches the expected identity.
+
+![TLS Handshakes](./.github/tls-handshakes.svg)